io.jsonwebtoken.security.WeakKeyException error - even when key is 70 characters

trouble · May 13, 2019, 2:56am

Hi
Using JWT, noticed my log file is growing really big recently. I noticed that everytime we are connecting to to Kibana though JWT, i am seeing this line:

io.jsonwebtoken.security.WeakKeyException: The verification key's size is 128 bits which is not secure enough for the HS256 algorithm.  The JWT JWA Specification (RFC 7518, Section 3.2) states that keys used with HS256 MUST have a size >= 256 bits (the key size must be greater than or equal to the hash output size).  Consider using the io.jsonwebtoken.security.Keys class's 'secretKeyFor(SignatureAlgorithm.HS256)' method to create a key guaranteed to be secure enough for HS256.  See https://tools.ietf.org/html/rfc7518#section-3.2 for more information.

Our key is 70 characters long, so doesnt that mean its 560 bits (70 x 8)? If thats the case how come i am seeing this?

I am running 1.17.6

sscarduzio · May 13, 2019, 5:18am

I think you are right, the jjwt library is comparing the key string length in characters, while the specs talks about bits.

From the cited spec:

A key of the same size as the hash output (for instance, 256 bits for “HS256”) or larger MUST be used with this algorithm.

trouble · May 13, 2019, 5:33am

should i increase it to 256 characters? will this not slow performance? Or can i just disable this from coming up in my log files?

trouble · May 13, 2019, 5:41am

Actually that still doesnt fix it. I changed my key to 276 characters - and still getting the same message in the logs. I dont have to restart ES do i? I mean its just the key that has changed

sscarduzio · May 14, 2019, 1:24am

in theory, in-index settings reloading should take care of re-initialising everything. If a restart is needed, it’s a bug.